From 06f43faefd0f212447b9776718ec61c5ebc6de61 Mon Sep 17 00:00:00 2001
From: darwinel
Date: Sun, 9 Feb 2014 01:26:26 +0100
Subject: CodeIgniter support some basic web security by default!
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I think its better to enable this basic security options by default. It’s more likely that users who build a new website or application from ground up, and use CodeIgniter can get used to this and eventually turn this off. From a web security perspective, we can support a more secure web, by default! Who agrees?
---
 application/config/config.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/application/config/config.php b/application/config/config.php
index ae748defd..4ee87ae24 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -302,11 +302,11 @@ $config['sess_driver'] = 'cookie';
 $config['sess_valid_drivers'] = array();
 $config['sess_cookie_name'] = 'ci_session';
 $config['sess_expiration'] = 7200;
-$config['sess_expire_on_close'] = FALSE;
-$config['sess_encrypt_cookie'] = FALSE;
+$config['sess_expire_on_close'] = TRUE;
+$config['sess_encrypt_cookie'] = TRUE;
 $config['sess_use_database'] = FALSE;
 $config['sess_table_name'] = 'ci_sessions';
-$config['sess_match_ip'] = FALSE;
+$config['sess_match_ip'] = TRUE;
 $config['sess_match_useragent'] = TRUE;
 $config['sess_time_to_update'] = 300;

@@ -351,7 +351,7 @@ $config['standardize_newlines'] = TRUE;
 | COOKIE data is encountered
 |
 */
-$config['global_xss_filtering'] = FALSE;
+$config['global_xss_filtering'] = TRUE;

 /*
 |--------------------------------------------------------------------------
--
cgit v1.2.3-24-g4f1b

From cf63aee92d7f337ac5a322e4185a9bc952a1d4f4 Mon Sep 17 00:00:00 2001
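Review bot: Shipping `sess_match_ip = TRUE` as the default (the `+$config['sess_match_ip'] = TRUE;` line) invalidates the session of any user whose client address changes mid-session, which is routine behind carrier NAT, corporate proxies and mobile networks, and the commit message does not weigh that availability cost against the modest hijack resistance it buys. In the same hunk `sess_encrypt_cookie = TRUE` relies on the framework's encryption library, which in turn needs an encryption key configured elsewhere in this file; nothing here ensures one is set, so a default that silently depends on another option should say so. The option comment block above these lines sits outside the hunk, but it is where a line such as `| Note: sess_encrypt_cookie requires a non-empty encryption key to be configured.` belongs. Either keep the old defaults and document the hardening choices, or state the trade-offs in the commit message.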
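Review bot: Turning on `global_xss_filtering` by default (the `+$config['global_xss_filtering'] = TRUE;` line) rewrites request data before the application ever sees it, which is lossy for legitimate input and gives a false sense of safety, because XSS is decided at output time where the HTML, attribute, JavaScript or URL context is known. Input mangling of this kind is not a substitute for context-aware escaping such as `htmlspecialchars()` in views, and it is also a per-request cost paid on every input value. The option comment directly above ends with `| COOKIE data is encountered` and would benefit from a line like `| Note: this alters input globally; escape on output regardless of this setting.` so that a newcomer does not read the TRUE default as sufficient protection.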
From: darwinel
Date: Sun, 9 Feb 2014 02:04:23 +0100
Subject: Style Guide Logical Operators

Use of || is discouraged as its clarity on some output devices is low (looking like the number 11 for instance). && is preferred over AND but either are acceptable, and a space should always precede and follow !
---
 system/database/drivers/mssql/mssql_driver.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system/database/drivers/mssql/mssql_driver.php b/system/database/drivers/mssql/mssql_driver.php
index 0836fa802..49711fec9 100644
--- a/system/database/drivers/mssql/mssql_driver.php
+++ b/system/database/drivers/mssql/mssql_driver.php
@@ -311,7 +311,7 @@ class CI_DB_mssql_driver extends CI_DB {
 .' FROM '.$this->escape_identifiers('sysobjects')
 .' WHERE '.$this->escape_identifiers('type')." = 'U'";

- if ($prefix_limit !== FALSE AND $this->dbprefix !== '')
+ if ($prefix_limit !== FALSE && $this->dbprefix !== '')
 {
 $sql .= ' AND '.$this->escape_identifiers('name')." LIKE '".$this->escape_like_str($this->dbprefix)."%' "
 .sprintf($this->_like_escape_str, $this->_like_escape_chr);
--
cgit v1.2.3-24-g4f1b

From 598c7eccf43a9e56547cd3eb45b2bc25c459847c Mon Sep 17 00:00:00 2001
From: darwinel
Date: Sun, 9 Feb 2014 15:37:27 +0100
Subject: change back to original

---
 application/config/config.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/application/config/config.php b/application/config/config.php
index 4ee87ae24..f36de913a 100644
--- a/application/config/config.php
+++ b/application/config/config.php
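Review bot: The swap from `AND` to `&&` in the `if` condition is behavior-preserving only because the expression contains no assignment; `AND`/`OR` bind lower than `=`, so the same rewrite applied to a line of the form `$ok = a() AND b();` would change what `$ok` receives. The style-guide text quoted in the commit message presents the two as interchangeable, and a repo-wide sweep done on that basis could introduce real logic changes. Worth adding that caveat to the guide text, and checking each converted site rather than relying on search-and-replace. The enclosing method starts and ends outside the hunk.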
@@ -302,12 +302,12 @@ $config['sess_driver'] = 'cookie';
 $config['sess_valid_drivers'] = array();
 $config['sess_cookie_name'] = 'ci_session';
 $config['sess_expiration'] = 7200;
-$config['sess_expire_on_close'] = TRUE;
-$config['sess_encrypt_cookie'] = TRUE;
+$config['sess_expire_on_close'] = FALSE;
+$config['sess_encrypt_cookie'] = FALSE;
 $config['sess_use_database'] = FALSE;
 $config['sess_table_name'] = 'ci_sessions';
-$config['sess_match_ip'] = TRUE;
-$config['sess_match_useragent'] = TRUE;
+$config['sess_match_ip'] = FALSE;
+$config['sess_match_useragent'] = FALSE;
 $config['sess_time_to_update'] = 300;

 /*
--
cgit v1.2.3-24-g4f1b

From df1bd3b443eb728284c16f0cd7fc96e677383181 Mon Sep 17 00:00:00 2001
From: darwinel
Date: Sun, 9 Feb 2014 15:39:03 +0100
Subject: back to original

---
 application/config/config.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/application/config/config.php b/application/config/config.php
index f36de913a..ae748defd 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -307,7 +307,7 @@ $config['sess_encrypt_cookie'] = FALSE;
 $config['sess_use_database'] = FALSE;
 $config['sess_table_name'] = 'ci_sessions';
 $config['sess_match_ip'] = FALSE;
-$config['sess_match_useragent'] = FALSE;
+$config['sess_match_useragent'] = TRUE;
 $config['sess_time_to_update'] = 300;

 /*
@@ -351,7 +351,7 @@ $config['standardize_newlines'] = TRUE;
 | COOKIE data is encountered
 |
 */
-$config['global_xss_filtering'] = TRUE;
+$config['global_xss_filtering'] = FALSE;

 /*
 |--------------------------------------------------------------------------
--
cgit v1.2.3-24-g4f1b
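Review bot: `sess_match_useragent` is flipped to FALSE in this hunk although the first hunk of the series shows it was TRUE before any of these changes, so "change back to original" overshoots and leaves user-agent checking disabled, a looser session default than the tree started with; the following commit has to flip it back. This commit also leaves `global_xss_filtering` at TRUE from the first commit, which the following one likewise reverts. Since the four commits net out to the original file (the last `index` line returns to blob `ae748defd`), squashing them, or dropping the series, would avoid leaving a bisectable intermediate state in which session hardening was silently weakened.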